The GRC Red Flag series will identify and debate the current & future critical risks and regulatory changes that can impact businesses.
Privacy has become a field of landmines that organizations have to navigate carefully. From the EU GDPR, California’s CCPA, South Africa’s POPIA, Canada’s PIPEDA, Australia’s Privacy Act, … the list goes on and on and on. With the potential for a federal U.S. privacy law, it is about to become even more complex.
However, privacy is much more than complying with laws and regulations. In one large insurance company, the Chief Privacy Officer pointed to the plaque on her wall with the company mission statement about doing the right thing for the customer. She said, "That is what privacy is about here." They go beyond regulation to ensure their clients’ data is used properly, with consent, and protected.
In today’s new era of ESG - Environmental, Social, Governance - we are seeing even more focus put on the principles of privacy under the S in ESG, the social aspect. Privacy of personal information is a social right and needs to be protected as part of the integrity and values of an organization.
Privacy is much more than data protection/security. Privacy is about the integrity and accuracy of data, the right of individuals to control and have access to their personal data, its appropriate and approved use, and data protection. This gets quite complicated in today’s environment of the extended enterprise, where privacy risk and compliance must be managed across the third-party relationships that are part of the organization’s processes.